After all of the 2016 drama, the start of a brand new year is a welcome development in itself – a clean sheet for a script yet to be written. However, 2017 will not be without challenges and the same applies to the world of privacy and data protection. Many of the big issues that arose during 2016 will need to be addressed in 2017. In addition, new questions will no doubt emerge. Here is an overview of the privacy challenges that lie ahead and what can be done about them.
At the end of 2016, territorial divisions of the Russian Data Protection Authority, Roskomnadzor, published their 2017 plans for conducting inspections of local companies’ compliance with Russian data privacy requirements, including data localization. The inspection plans contain a number of prominent multi-national and Russian companies.
On January 5, 2017 Paris Law School Panthéon-Assas launched its first university degree (diplôme d’université) aimed at training future Data Protection Officers (DPOs) under the new European General Data Protection Regulation (GDPR), which becomes effective across the EU on May 25th, 2018. Created by Paris University Professor Bénédicte Fauvarque-Cosson and Hogan Lovells partner Winston Maxwell, the new program will include courses in law, cybersecurity, data analytics, management and ethics. The faculty will include professors from various law schools, as well as practicing DPOs, information security specialists, lawyers and regulators from the CNIL (the French data protection authority), and major companies including Sanofi, Renault, GE, Axa, Lagardère, Google, Microsoft, Schneider Electric, BNP Paribas and the Banque Postale.
Speaking at the opening ceremony, Professor Fauvarque-Cosson commented: “This is an exciting time because data protection law is being created before our eyes. The new European regulation is just the start.” Winston Maxwell underlined the difficulties of the DPO role under the GDPR: “The DPO is an important management position, but it will not be easy.”
Information about the new program is available here.
To see Professor Fauvarque-Cosson’s and Winston Maxwell’s video, click here.
The European Commission has released its proposal for a new EU e-Privacy Regulation that will replace the existing e-Privacy Directive. The high level aim of the draft e-Privacy Regulation is to harmonise the specific privacy framework relating to electronic communications within the EU and ensure consistency with the GDPR. Compared to the existing Directive, the draft e-Privacy Regulation has broader territorial reach and applies generally to the provision of electronic communications services to end users in the EU and to the use of such services. It is also concerned with the protection of information related to the devices of end users located in the EU.
In this particular respect, the draft e-Privacy Regulation introduces revised and complex rules affecting end users’ terminal equipment and how data is collected in that context. Our high level assessment of the notice and consent requirements affecting various data activities involving users’ devices can be found here.
The consequences for non-compliance follow a two-tier approach as follows:
- Breaches of the rules regarding notice and consent, default privacy settings, publicly available directories and unsolicited communications may be punished with fines of up to EUR 10 million or 2% of the total worldwide annual turnover, whichever is higher.
- Breaches of the rules regarding the confidentiality of communications, permitted processing of electronic communications data and the time limits for erasure of data may be punished with fines of up to EUR 20 million or 4% of the total worldwide annual turnover, whichever is higher.
This is the beginning of the formal legislative process and now the draft is in the hands of the European Parliament and the Council of the EU.
Sam Choi, a trainee solicitor in our London office, contributed to this entry.
Please join us for our January 2017 Privacy and Cybersecurity Events.
|January 31-February 1||
The New York Department of Financial Services (NYDFS) just issued major revisions to the cybersecurity regulations for financial institutions that were due to come into effect on January 1, 2017. To allow covered institutions more time to implement the rules, the effective date will now be March 1, 2017, with a series of staggered implementation dates beyond this. There are several notable substantive changes in the revised rules.
Click here to learn more about the major changes to the proposed rules, timing and implementation details, and how to prepare for the new requirements as well as other related cybersecurity developments.
For more details on the NYDFS cybersecurity regulations for financial institutions, please see our previous blog post.
The 2016 holiday gift guides have heavily featured consumer drones; as such, it is not unfeasible that you or someone you know will receive a drone in the coming weeks. In anticipation of that happy event, on 21 December the UK Department for Transport gave its own gift: a consultation paper on ensuring the safe use of drones, to help the UK to tap into this growing market.
In yet another key case dealing with the balance between citizens’ privacy and the ability of the state to intrude into it, the Court of Justice of the European Union (CJEU) has ruled on the compatibility with European Union law of legislation that authorises the retention of communications data, which includes personal data. The reference from the UK Court of Appeal resulted from a challenge to the Data Retention and Investigatory Powers Act 2014 (DRIPA) brought by individuals that include Tom Watson, deputy leader of the Labour Party and represented by Liberty. Interveners include the Law Society of England and Wales, the Open Rights Group, and Privacy International.
The CJEU considered the compatibility of such legislation with the e-Privacy Directive, Articles 7 and 8 of the Charter of Fundamental Rights of the European Union—which protect private and family life and personal data respectively—and its previous decision in C-293/12 Digital Rights Ireland—which invalidated the Data Retention Directive.
Connected vehicles today are rolling computers able to exchange information wirelessly with manufacturers, other vehicles, and third party service providers to significantly improve safety, efficiency, and comfort for drivers. Many entities are interested in the data these connected vehicles generate and transmit. These entities include dealers and repair shops, vehicle fleet service providers, end-users, infrastructure operators, diagnostics providers, researchers, financial services companies and insurance companies. The European Commission and industry actors in Europe, while recognizing the challenges of wide-spread deployment of these technologies, have taken further steps to develop a regime that facilitates information sharing for vehicle to vehicle, vehicle to infrastructure and other communications by delineating specific actions to take in the near future. Continue Reading
No one could accuse the EU Article 29 Working Party (WP29) of not delivering as promised. Following its recently held December plenary meeting, the WP29 has released three separate guidelines with their interpretation of some key aspects of the General Data Protection Regulation, namely:
- data portability,
- data protection officers (DPOs), and
- lead supervisory authorities.
At the same time, the WP29 has confirmed its role as the “EU centralised body” for handling individual complaints under the Privacy Shield and the re-establishment of its enforcement subgroup in charge of coordinating cross-border enforcement actions. Continue Reading